11-14-2021 02:46 AM
Hi
New deployment for a customer running 9120axi APs.
All set up and working with a Corp and a Guest WLAN.
The issue comes when I try to add an ACL to our Guest and Corp WLANs via the policy: the users get "incorrect password" and are not able to connect to the SSID.
As soon as I remove the ACL all is OK.
It seems not to matter what ACL is added (even a blank ACL with just permit all): the user gets "incorrect password" on the device when trying to connect.
All we are trying to do is stop the guest traffic from being able to access the Corp subnet, which the whole network is running from on a Cat9300.
Version 17.6 (latest) has been installed on the EWC.
L3 on switch:
VLAN 20 - Guest 192.168.x.x - ip helper 172.22.x.x
VLAN 30 - Corp 172.40.x.x - ip helper 172.22.x.x
VLAN 40 - Mgmt - native VLAN 172.50.x.x
Users are using PSK (customer choice on this).
Is it a bug, or would you say a limitation of the 9120 EWC?
11-14-2021 07:19 AM
Hi,
How and where did you define the ACL for the WLAN? If I were to isolate Guest traffic I would consider any of the below (please note all EWC APs are in FlexConnect mode):
1. Keep Guest in a different VRF at the upstream switch.
2. Apply an ACL at L3 to deny the RFC1918 ranges, with permit ip any any as the last statement. If you have internal DNS and DHCP, make sure to allow them.
3. If you have an upstream firewall, extend the L3 SVI for the Guest VLAN to the firewall. This may require changes at your firewall-connecting ports on the switch (trunk) as well.
11-14-2021 07:40 AM
Hi Arshad
Thanks for the reply...
I'm adding the ACL on the 9120 EWC controller and then adding it into the policy for each WLAN.
More info is below. I was trying to use the EWC for this, as per the ACL in the documents.
If I have to add this to the 9330 L3 switch, what is the ACL on the EWC used for?
!
ip access-list extended Corp_ACL
 1 deny ip 172.30.0.0 0.0.255.255 192.168.50.0 0.0.0.255
 2 deny ip 192.168.50.0 0.0.0.255 172.30.0.0 0.0.255.255
 3 permit ip 172.30.0.0 0.0.255.255 any
 4 deny ip any any
ip access-list extended Guest_ACL
 1 deny ip 192.168.50.0 0.0.0.255 172.30.0.0 0.0.255.255
 2 deny ip 172.30.0.0 0.0.255.255 192.168.50.0 0.0.0.255
 3 permit ip 192.168.50.0 0.0.0.255 host 172.30.2.1
 4 deny ip any any
192.168.50.0/24 - Guest_ACL
172.23.50.0/24 - Corp_ACL
172.30.2.1 - DHCP server on the LAN side
The error message we get when the ACL is on the EWC:
The controller says %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (d6a9.97ef.661a) on Interface capwap_90000004 AuditSessionID 000000000000004B10D203AA. Failure Reason: ACL Failure.
11-14-2021 07:51 AM
Did you add the ACL to the Flex-Profile? This is needed to get the ACL "pushed" to the AP where the filtering is applied.
11-14-2021 08:04 AM
Hi Karsten
I did try adding it into the Flex profile I set up, with the L2 VLANs for Corp/Guest and the ACL with them.
For both Corp and Guest I did: Flex profile - VLAN - VLAN name - VLAN ID - ACL name.
Do you not need to add the ACL to the policy profile at all then? I was working from the document.
I will try again tomorrow and see what logs I get back.
11-14-2021 12:19 PM
There are multiple options available; the WLC also gives you the flexibility to do ACLs. Where to do the filtering depends completely on your design and operational requirements. In my opinion, filtering packets at the WLC or AP level complicates the network; I feel it is cleaner to do this upstream, as this takes the unnecessary burden off the WLC or APs. But the new WLCs and APs are capable enough to handle moderate tasks. (I do not have an impact analysis of enabling ACLs on the WLC or AP; this is just my opinion.)
My ACL would look like the below.
For Guest:
ip access-list extended Guest_Block
 permit udp 192.168.50.0 0.0.0.255 host 172.30.2.1
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.50.0 0.0.0.255 any
It is very important to note that when applying Flex ACLs you have to select the correct direction. Ingress means traffic directed towards the client, and egress means traffic towards the LAN.
11-15-2021 02:37 AM
Hi Arshad
Still not working. Even if I add a deny-all IP ACL to the Flex profile for VLAN 50 (guest), all traffic is still allowed...
It's like it's not even seeing the ACL on the WLAN.
11-15-2021 02:42 AM
Did you apply ingress or egress in Flex profile?
11-15-2021 03:18 AM
Hi Arshad
I tried both ways, still the same...
Why is there a WLAN ACL in the policy profile for Guest? I can add the ACL there as well, but when I do that the users get "incorrect password".
I'm using the Cisco doc below for reference, but there is nothing in there about separating Guest from Corp users.
11-15-2021 06:16 AM
When you SSH into your AP (not EWC), do you see your ACLs with a "show access-list"?
11-15-2021 10:50 AM
Hi Karsten
I will try this tomorrow and let you know
Thanks for the suggestion..
11-16-2021 04:32 AM
Hi All
Still no joy with this. See below; it looks like the AP isn't getting any info from the EWC?
AP# show flexconnect vlan-acl
Flexconnect VLAN-ACL mapping-- ingress vlan
ACL disabled on ingress vlan
No configured vlans
Flexconnect VLAN-ACL mapping-- egress vlan
ACL disabled on egress vlan
No configured vlans
11-16-2021 05:04 AM
At this point the best option is to reach out to TAC. But I would still consider implementing the same ACL on the upstream Layer 3 device, as all EWC-related deployments use Flex APs.
11-29-2022 12:58 AM
The guide is not very clear on this, but the ACL is working; for EWC or Flex you need some extra configuration. On EWC/FlexConnect there are two ways to configure an ACL:
- On the FlexConnect profile, attached to the VLAN
- On the WLAN
But for both you also need to configure the acl-policy on the FlexConnect profile to push the ACL to the FlexConnect APs.
For example, a Guest WLAN with the 192.168.10.0 subnet which you want to allow to the internet but not to internal resources.
The ACL works both ways (ingress/egress) and you also have to take the return traffic into account:
ACL on the FlexConnect VLAN:
ip access-list extended GUEST
 10 permit udp any eq bootpc any eq bootps
 11 permit udp any eq bootps any eq bootpc
 20 permit ip any 192.168.10.0 0.0.0.255
 31 deny ip any 10.0.0.0 0.255.255.255
 32 deny ip any 172.16.0.0 0.15.255.255
 33 deny ip any 192.168.0.0 0.0.255.255
 40 permit ip any any log
 41 permit icmp any any
wireless profile flex default-flex-profile
 acl-policy GUEST
 vlan-name Guest
  acl GUEST
  vlan-id 10
The ACL on the WLAN:
wireless profile flex default-flex-profile
 acl-policy GUEST
wireless profile policy Guest
 ipv4 acl GUEST
You can confirm by connecting to the CLI of the Flex AP with the commands:
wireless ewc-ap ap shell username admin
show client access-lists post-auth all <MAC address>
show flexconnect vlan-acl
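As an added example that is not part of the original thread (and not Cisco code), the Python below evaluates IOS-style extended ACLs the way a practitioner would check them offline before pushing them to the EWC and its Flex APs: first match wins, wildcard masks mark "don't care" bits, and anything unmatched hits the implicit deny. The guest ACLs and flows it uses are constructed for the example; only the 192.168.50.0/24 guest subnet and the 172.30.2.1 DHCP server are taken from the posts above. It illustrates two points raised in the thread: a wildcard such as 172.0.0.0 0.0.15.255 covers only 172.0.0.0 to 172.0.15.255 rather than 172.16.0.0/12, so a mistyped RFC1918 deny lets guest-to-corp traffic fall through to the final permit; and an ACL that is evaluated on traffic in both directions must explicitly permit return traffic to the guest subnet, or the 192.168.0.0/16 deny drops it.

```python
"""Offline first-match checker for Cisco IOS-style extended IPv4 ACLs.
Added example for this thread, not code from the original posts or from Cisco.
It models wildcard masks, 'eq' port qualifiers and the implicit deny so a guest
ACL can be checked against sample flows. ACL texts and flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}
ANY = (0, 0xFFFFFFFF)  # 'any' is 0.0.0.0 with wildcard 255.255.255.255

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "udp", "tcp" or "icmp"
    src: Tuple[int, int]     # (network, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    src_port: Optional[int]  # from an 'eq' qualifier; None means any port
    dst_port: Optional[int]
    text: str                # original line, for reporting

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return ((net, wild), rest)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _port(tok):
    """Consume an optional 'eq <number|name>' qualifier; return (port, rest)."""
    if tok and tok[0] == "eq":
        return (PORT_NAMES[tok[1]] if tok[1] in PORT_NAMES else int(tok[1])), tok[2:]
    return None, tok

def parse_acl(text: str) -> List[Ace]:
    """Parse an 'ip access-list extended' block, one ACE per line."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "remark"):
            continue                  # header, remark or blank line
        tok = tok[1:] if tok[0].isdigit() else tok   # optional sequence number
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, tok = _addr(tok)
        sport, tok = _port(tok)
        dst, tok = _addr(tok)
        dport, tok = _port(tok)       # a trailing 'log' keyword is ignored
        aces.append(Ace(action, proto, src, dst, sport, dport, line.strip()))
    return aces

def wildcard_range(net: str, wild: str) -> Tuple[str, str]:
    """Lowest and highest address a network/wildcard pair actually matches."""
    low = _ip(net) & ~_ip(wild) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | _ip(wild)))

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> Tuple[str, str]:
    """First match wins; anything unmatched hits the implicit deny."""
    def hit(ip, nw):                  # wildcard 1-bits are "don't care"
        return (ip & ~nw[1]) == (nw[0] & ~nw[1])
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto) or not (hit(s, ace.src) and hit(d, ace.dst)):
            continue
        if ace.src_port not in (None, sport) or ace.dst_port not in (None, dport):
            continue
        return ace.action, ace.text
    return "deny", "implicit deny ip any any"

# Constructed guest ACL with mistyped RFC1918 wildcards: 172.0.0.0 0.0.15.255 and
# 192.0.0.0 0.0.255.255 miss 172.16.0.0/12 and 192.168.0.0/16, so guest-to-corp
# traffic falls through to the final permit.
GUEST_TYPO = """
ip access-list extended Guest_Block
 permit udp 192.168.50.0 0.0.0.255 host 172.30.2.1
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.0.0.0 0.0.15.255
 deny ip any 192.0.0.0 0.0.255.255
 permit ip 192.168.50.0 0.0.0.255 any
"""
# Same ACL with correct wildcards. Applied to traffic heading back to the client
# as well, its 192.168.0.0/16 deny now drops the return traffic too.
GUEST_OK = (GUEST_TYPO.replace("172.0.0.0 0.0.15.255", "172.16.0.0 0.15.255.255")
                      .replace("192.0.0.0 0.0.255.255", "192.168.0.0 0.0.255.255"))

if __name__ == "__main__":
    flows = [("guest->corp SMB", "tcp", "192.168.50.10", "172.23.50.20", 51000, 445),
             ("guest->DHCP", "udp", "192.168.50.10", "172.30.2.1", 68, 67),
             ("guest->internet", "tcp", "192.168.50.10", "8.8.8.8", 51000, 443),
             ("return to guest", "tcp", "8.8.8.8", "192.168.50.10", 443, 51000)]
    for name, text in (("typo", GUEST_TYPO), ("fixed", GUEST_OK)):
        for label, *flow in flows:
            print(f"{name:5} {label:16} {evaluate(parse_acl(text), *flow)}")
    print("172.0.0.0 0.0.15.255 covers", wildcard_range("172.0.0.0", "0.0.15.255"))
```

Run it with python3; the main block prints the verdict and matching ACE for each constructed flow against both variants. The "return to guest" row is the one to watch: once the wildcards are right, the same ACL denies inbound traffic to 192.168.50.0/24, which is why a line such as "permit ip any 192.168.10.0 0.0.0.255" ahead of the RFC1918 denies matters when the ACL is applied in both directions.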